scottshipp
How to get a YubiKey credential for shell scripts


tl;dr

The tl;dr is:

# read the YubiKey
echo "Press your YubiKey"
read -rs YUBIKEY

What is a YubiKey?

A YubiKey is a device made by Yubico intended as a form of MFA.

Generally, it's a USB device that is used to obtain access to sensitive resources.

Scripting a YubiKey

Yubico provides a CLI, ykman, for the YubiKey. The intention of ykman is to allow IT administrators to configure YubiKeys for their organizations.

I thought that it would be cool to have some shell scripts around for common APIs within my organization, but some of these require a credential generated from my YubiKey. My logic was that perhaps ykman could script the YubiKey credential generation for me.

I googled for an hour and only came up with a couple of discussions about this. Unfortunately, one of them held some bad news:

I don't think there is a way to programmatically get a YubiOTP from the YubiKey
from discussion on ykman issue 400

The solution

The solution is a quick-and-dirty "silent read" from the terminal:

# read the YubiKey
echo "Press your YubiKey"
read -rs YUBIKEY
echo "Thank you"

I thought I'd post that in case someone else goes searching for it in the future.
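A slightly more careful version of the same silent read, added here as an example and not part of the original post: the prompt goes to stderr so the OTP can be captured with $(...), echo is turned off with stty (which also works under plain sh, where read -s is unavailable), and the value is checked against the Yubico OTP format before a script relies on it. The format check assumes the standard Yubico OTP layout: 44 characters from the modhex alphabet cbdefghijklnrtuv, with the first 12 being the key's public identity.

```shell
# Return 0 if $1 is a well-formed Yubico OTP (44 modhex characters), else 1.
# Catches a stray keystroke, an empty line, or a key pressed in the wrong mode.
validate_yubikey_otp() {
    printf '%s' "$1" | LC_ALL=C grep -Eq '^[cbdefghijklnrtuv]{44}$'
}

# The public ID is the first 12 characters; it identifies the key and is safe
# to log, unlike the full OTP.
yubikey_public_id() {
    printf '%s' "$1" | cut -c1-12
}

# Prompt on stderr, read the OTP silently from stdin, print it on stdout.
# Prints nothing and returns 1 if the value does not look like an OTP.
prompt_yubikey_otp() {
    printf 'Press your YubiKey: ' >&2
    if [ -t 0 ]; then
        # Only touch terminal settings when stdin really is a terminal, and
        # restore them even if the user hits Ctrl-C mid-prompt.
        stty_saved=$(stty -g)
        trap 'stty "$stty_saved"' EXIT INT TERM
        stty -echo
        read -r otp
        stty "$stty_saved"
        trap - EXIT INT TERM
        printf '\n' >&2
    else
        read -r otp
    fi
    if ! validate_yubikey_otp "$otp"; then
        echo 'error: input is not a valid Yubico OTP' >&2
        return 1
    fi
    printf '%s\n' "$otp"
}

# Usage from a script: capture the OTP and hand it to the API call through the
# environment or stdin rather than as a command-line argument, since argv is
# visible to every other process on the machine.
# OTP=$(prompt_yubikey_otp) || exit 1
```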

Top comments (3)

Vincent Milum Jr

This also depends on which authentication method you're using your Yubikeys for.

In my particular case, I use it as my private SSH key, so the "button" auth text generation doesn't really mean a whole lot to me.

Yubikeys can be tied directly into the SSH client, so the private key verification happens entirely on the key, and the key also prevents extraction of the private key which allows it to remain secured.

This also means I can hop on virtually any terminal in the world, insert my yubikey, and have direct SSH access back to my infrastructure. Remove the Yubikey, and that machine no longer has access, regardless of whether it were compromised or not.

scottshipp

That's really cool! Did you buy a personal YubiKey for this purpose? The one I have is controlled by my enterprise. I may buy a second one for myself.

Vincent Milum Jr

I actually own four separate Yubikeys for different purposes, all self purchased.

Got one on my personal Windows desktop, one on my personal MacBook Air, one on my "work" laptop, and the last one stays on my key chain so it's mobile with me wherever I go.

Each has a separate private/public key pair, and I have a text file available in a git repo that contains all 4 public keys, so it is an easy copy-paste from there into whatever service I want any (or all) keys associated with.

Each key is also a different model, so I have experience with many of their various styles :)